The expected refresh of the ISO/IEC 20000 Part 1 standard was published in September by ISO and this heralded the start of a two-year transition period for currently-certified organizations to move to the new version. As part of the release of the CertiKit ISO20000 Toolkit Version 8, we thought it might be helpful to give you an idea of the main changes included in the 2018 version together with the odd opinion about them.
The major part of the update will come as no surprise to anyone familiar with ISO management system standards and the “Annex SL” or “High Level Structure” concept. This is the idea that all ISO standards that have a management system should be as similar as possible so that running an integrated management system across multiple standards (such as ISO20000 and ISO27001, or ISO9001) becomes easier. So the format and structure of the new ISO20000 now has the same headings and, in many cases wording, as other standards that have been similarly “Annex SL-ed” over the last few years (which is now pretty much all of them – ISO20000 was late to the party).
The Context section is new to ISO20000 and requires that the internal and external issues that may affect the Service Management System (SMS) are defined, along with the interested parties and their requirements. There is more emphasis on risk management at various levels and a requirement to consider opportunities (i.e. “good risks”) as well. References to Plan-Do-Check-Act which played a major part in the 2011 version have been removed to allow the use of whichever improvement method you prefer.
The body of the IT service management-related requirements are now in Section 8 – Operation, under the following sub-headings:
8.1 Operational planning and control
8.2 Service portfolio
8.3 Relationship and agreement
8.4 Supply and demand
8.5 Service design, build and transition
8.6 Resolution and fulfilment
8.7 Service assurance
The IT service management areas and processes covered by the new version remain pretty much the same, with the addition of knowledge, demand and asset management which now have brief sections to themselves. Incident and service request management have been separated from each other, as have availability and service continuity management. Service reporting has been moved to Section 9 and generalised in favour of more specific reporting requirements being located in the relevant process sections themselves.
In general, it’s fair to say that many areas have been simplified and generalised, with fewer specific requirements that need to be met, although the base principles of each area have been maintained. Some of the requirements that have caused difficulties in the past have been removed or toned down – for example the list of items that must be included in a service contract has been reduced and the need to know about subcontractors is no longer included.
For those organizations that are already certified to ISO20000 and have a reasonably mature SMS in place, the 2018 version won’t present them with many difficulties, representing as it does more of a rejig of the headings than an addition of any significantly new material.
The previous update from the 2005 to the 2011 version made ISO20000 more difficult and possibly put many organizations off the idea of going for certification. With the 2018 version however, a fair balance has been struck between simplifying the main process requirements whilst still covering the subject adequately so that certification to ISO20000 still means something. And the fact that it now has the same management system structure as other standards makes it easier to integrate as part of an overall ISO-based approach to organisation management and improvement.
In summary, ISO has done a good job.